b'AUDIT OF THE TIME AND ATTENDANCE PROCESSING\n      SYSTEM DEVELOPMENT PROJECT (II)\n\n\n              Audit Report No. 99-011\n                February 17, 1999\n\n\n\n\n             OFFICE OF AUDITS\n\n       OFFICE OF INSPECTOR GENERAL\n\x0c                      TABLE OF CONTENTS\n\n\nBACKGROUND                                                                 2\n\nOBJECTIVES, SCOPE, AND METHODOLOGY                                         3\n\nRESULTS OF AUDIT                                                           4\n\nKEY TAPS DECISIONS NOT BASED ON SDLC METHODOLOGY                           4\n\n    Feasibility and Cost-Benefit of Alternative Solutions Not Considered   5\n\n    Key Assumption for Proceeding with TAPS Based on Inaccurate\n    Information                                                            8\n\n    Recommendations                                                        9\n\nDIRM\'S CONTRACT MANAGEMENT NEEDS IMPROVEMENT                               9\n\n    Contract Initiation                                                    10\n\n    Recommendations                                                        11\n\n    Contractor Oversight Not Effective                                     12\n\n    Recommendations                                                        13\n\nDIRM\'S INTERNAL CONTROL PROCESS WAS NOT EFFECTIVE                          14\n\n    Recommendation                                                         14\n\nCORPORATION COMMENTS AND OIG EVALUATION                                    14\n\nAPPENDIX I \xe2\x80\x93 CHRONOLOGY OF KEY TAPS DATES                                  16\n\nAPPENDIX II \xe2\x80\x93 CORPORATION COMMENTS                                         18\n\nAPPENDIX III \xe2\x80\x93 MANAGEMENT RESPONSES TO RECOMMENDATIONS                     25\n\x0cFederal Deposit Insurance Corporation                                                        Office of Audits\nWashington, D.C. 
20434                                                          Office of Inspector General\n\n\n\n\n   DATE:                     February 17, 1999\n\n   TO:                       Donald C. Demitros, Director\n                             Division of Information Resources Management\n\n                             John Lynn, Acting Director\n                             Division of Administration\n\n\n   FROM:                     David H. Loewenstein\n                             Assistant Inspector General\n\n\n   SUBJECT:                  Report Entitled Audit of the Time and Attendance Processing System\n                             Development Project (II)\n                             (Audit Report No. 99-011)\n\n\n   The Office of Inspector General (OIG) has completed an audit of the Federal Deposit Insurance\n   Corporation\xe2\x80\x99s (FDIC) Time and Attendance Processing System (TAPS) development project.\n   This report presents a summary of the TAPS development project and serves as a \xe2\x80\x9clessons\n   learned\xe2\x80\x9d document for the FDIC\'s use in managing future development projects, including the\n   Corporation\xe2\x80\x99s current efforts on a system to support the processing of personnel information.\n   Our report includes eight recommendations for incorporating needed controls into the Division\n   of Information Resources Management\xe2\x80\x99s (DIRM) system development and contracting\n   processes. FDIC\xe2\x80\x99s lack of adherence to established and generally accepted system development\n   life cycle (SDLC) procedures and DIRM\xe2\x80\x99s ineffective contractor oversight practices contributed\n   to the failure of TAPS and resulted in the unnecessary expenditure of significant corporate\n   resources.\n\n\n   BACKGROUND\n\n   The OIG initiated an audit of the FDIC\xe2\x80\x99s TAPS development project in November 1996. 
In June\n   1997, we met with management to discuss our concerns and preliminary recommendations\n   regarding the TAPS development process to that point. On September 29, 1997, we issued a\n   final audit report entitled Audit of the Time and Attendance Processing System (TAPS)\n   Development Project (Audit Report No. 97-106). This report paralleled our earlier discussions\n   with management and identified three issues that the FDIC needed to address to improve the\n\n\n                                                  2\n\x0cTAPS development process. First, FDIC management did not have the information needed to\nmake informed decisions regarding the development approaches for TAPS because the project\nteam did not adhere to generally accepted system development methodologies when developing\ncost-benefit and feasibility analyses. In addition, FDIC management and project personnel did\nnot have the information needed to properly manage the TAPS development effort because\nprogress reports did not compare results being achieved to projected costs, benefits, and risks.\nFinally, the project team increased the risks associated with a successful completion of the\nproject by deviating from accepted SDLC methodologies and performing design and\ndevelopment work before functional requirements were finalized. These issues seriously\nimpaired management\xe2\x80\x99s decision-making ability regarding the viability of the project and\nresulted in additional costs and resource consumption to re-perform many efforts already\ncompleted.\n\nFDIC management agreed with our findings and recommendations and committed to following a\nstructured approach for developing TAPS. On October 22, 1997, the FDIC\'s Audit Committee\nrequested that the Office of Internal Control Management (OICM) perform a review to\ndetermine the effectiveness of the project\xe2\x80\x99s internal controls and identify where internal controls\nmay have broken down in the SDLC process. 
On March 18, 1998, OICM issued its report,\nwhich reiterated the issues identified by our office and contained several additional\nrecommendations.\n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nThe objectives of the audit were to determine whether (1) the TAPS development was adhering\nto established and generally accepted SDLC procedures, (2) user requirements had been\nadequately defined, (3) system deliverables satisfied user requirements in a cost-effective and\ntimely manner, and (4) adequate internal controls were incorporated into the design of the\nsystem. Because management discontinued the TAPS development effort before finalizing\nrequirement and development activity, we were unable determine whether adequate internal\ncontrols had been incorporated into TAPS.\n\nTo accomplish our other audit objectives, we interviewed DIRM, Division of Administration\n(DOA), and contractor personnel responsible for developing TAPS. We also analyzed\ndocumentation prepared during the development process, including planning documents, project\nstatus reports, draft requirements documents, and design documents. In addition, we reviewed\ncurrent policies and procedures related to the FDIC\xe2\x80\x99s SDLC methodology and attended TAPS\nSteering Committee meetings and other TAPS project meetings. The TAPS Steering Committee\nwas comprised of senior management officials who made decisions on approaches regarding\nTAPS. 
Because of the time-sensitive nature of the TAPS development project, we met with\nDIRM and DOA personnel frequently throughout the audit to discuss our preliminary\nrecommendations.\n\nWe conducted our audit between November 1996 and August 1998 in accordance with generally\naccepted government auditing standards.\n\n\n\n\n                                                 3\n\x0cRESULTS OF AUDIT\n\nAlthough management committed to improving FDIC\'s development practices related to TAPS\nin response to recommendations made by our office and OICM, DIRM and DOA continued to\ndeviate from FDIC\xe2\x80\x99s SDLC process. Throughout our fieldwork, we advised TAPS program\npersonnel and the TAPS Steering Committee about the project\'s lack of adherence to the FDIC\'s\nSDLC process. Specifically, we raised concerns about the quality, completeness, and accuracy\nof cost-benefit information being provided to management for decision-making purposes. We\ninformed DIRM and DOA management that the lack of current, accurate, and complete\nfeasibility and cost-benefit information on TAPS was seriously impairing senior management\'s\ndecision-making ability regarding the project. However, management disregarded our concerns\nand deviated from generally accepted SDLC approaches throughout the life of the project.\n\nFollowing our earlier report, DIRM and DOA again proceeded with design and development\nwork before fully defining user requirements. In addition, the FDIC did not effectively manage\nthe development of TAPS, and contractor oversight was not effective. These actions resulted in\nthe unnecessary expenditure of at least $6.5 million and ultimately contributed to management\'s\ndecision to discontinue the project.\n\nIn June 1998, the FDIC discontinued the TAPS development effort because of design\ncomplexities caused by DIRM\xe2\x80\x99s failure to freeze requirements for the system. 
Shortly after the\nproject was discontinued, we met with the Directors of DIRM and DOA to discuss our final\nconclusions regarding TAPS and to provide these management officials with our proposed\nrecommendations for managing future information technology (IT) efforts. These\nrecommendations, which are contained in this report, are aimed at ensuring that (1) management\nhas the information needed to make informed decisions regarding whether and how to proceed\nwith future development efforts, (2) DIRM disciplines itself to completing initial development\nphases before proceeding to subsequent phases of development projects, and (3) project status\ninformation and contractor oversight is improved so that management is aware of changes in\nschedule, cost, and risk. Many of the recommendations contained in this report are similar to\nrecommendations contained in earlier OIG reports. We are restating the recommendations in this\nreport because of DIRM\xe2\x80\x99s failure to effectively address the recommendations in the past.\n\n\nKEY TAPS DECISIONS NOT BASED ON SDLC METHODOLOGY\n\nShortly following our initial involvement with the TAPS project in 1996, we began raising\nconcerns about the quality, completeness, and accuracy of cost-benefit information provided to\nmanagement for decision-making purposes. The lack of current, accurate, and complete\nfeasibility and cost-benefit information seriously impaired management\'s decision-making ability\nregarding TAPS and resulted in the unnecessary expenditure of significant corporate resources.\nDespite management\xe2\x80\x99s commitment to improve its adherence to accepted SDLC methodologies\nand, thereby, improve information supporting management decisions, the FDIC continued to\ndeviate from accepted practices throughout the project. 
The FDIC\xe2\x80\x99s actions throughout the\nTAPS development process continued to increase the risk associated with the project, resulted in\n\n\n\n\n                                               4\n\x0cever-increasing expenditures of unnecessary funds, and ultimately resulted in the discontinuance\nof TAPS development efforts.\n\n\nFeasibility and Cost-Benefit of Alternative Solutions Not Considered\n\nThroughout the development process, DIRM and DOA repeatedly took actions and expended\nfunds toward the in-house development of an automated time and attendance system without\nformally evaluating the feasibility or cost-benefit of alternative solutions. Despite encountering\nsignificant problems throughout the project and committing to improve the planning process\nrelated to TAPS, DIRM and DOA did not re-evaluate their original course of action.\n\nThe purpose of a feasibility study is to provide senior management with: (1) an analysis of the\nproject\'s objectives, requirements, and system concepts; (2) an evaluation of alternative\napproaches; and (3) a recommended approach. The purpose of a cost-benefit analysis (CBA) is\nto provide management with adequate cost and benefit information to analyze and evaluate\nalternative approaches. Because the structures of feasibility studies and CBAs are so similar,\nFDIC\'s SDLC Manual allows them to be combined.\n\nDIRM and DOA developed an initial risk assessment, dated June 1995, and a CBA, dated July\n1995, to support their decision to proceed with the in-house development of TAPS. However,\nthese analyses did not use full life cycle cost data or formally evaluate alternative solutions, such\nas implementing only the Corporate Time and Attendance Worksheet (CTAW), modifying a\ncommercial-off-the-shelf system, or modifying an existing system developed by another federal\nentity. 
In addition, TAPS cost-benefit information did not evaluate technical, cost, or schedule\nrisks associated with the project or revisit original assumptions when significant changes took\nplace in the project\'s scope, cost, and schedule. We also noted that estimated cost savings\nattributed to the development and implementation of TAPS were overly optimistic.\n\nWe met with DOA\'s TAPS program manager on May 2, 1997 to discuss our concerns regarding\nthe limitations of the TAPS risk assessment and cost-benefit analysis. We reiterated our\nconcerns to DOA\'s TAPS program manager on June 11, 1997 when significant changes were\ntaking place in the project\'s scope, cost, and schedule. We advised the DOA project manager\nthat alternative solutions should be formally evaluated and presented to senior management\nbefore proceeding with further TAPS development activities. Despite a verbal commitment to\naddress our concerns, DIRM and DOA management awarded a $1.9 million contract to continue\nthe in-house development of TAPS on July 24, 1997 without the benefit of a thorough and\nenhanced CBA or feasibility study.\n\nOn September 29, 1997, we reported on our concerns regarding the limitations of the TAPS\nCBA and risk assessment in our report entitled Audit of the Time and Attendance Processing\nSystem (TAPS) Development Project (Report No. 97-106). We noted that the TAPS CBA was\nnot supported by adequate documentation and that the assumptions underlying the analysis were\nbased on inaccurate and outdated information. We recommended in the report that DIRM and\nDOA revisit the TAPS CBA and review and update it, as necessary, throughout the development\nlife cycle. We also recommended that DIRM and DOA evaluate the cost-benefit of alternative\n\n\n\n                                                  5\n\x0csolutions to TAPS before continuing with additional development work. 
DIRM and DOA\nformally agreed to implement our recommendations and committed to following a structured\napproach for developing TAPS.\n\nIn November 1997, OICM initiated a review of the TAPS development project to determine the\neffectiveness of its internal controls and to determine where internal controls may have broken\ndown. OICM\'s report, dated March 18, 1998, reiterated the concerns expressed by our office.\nOICM also determined that DIRM and DOA had informally considered three alternatives to\nTAPS before the project was initiated, but that this effort was cursory in nature and not\nadequately documented.\n\nIn December 1997, 5 months after awarding a contract to continue in-house development of\nTAPS, DIRM and DOA completed revisions to the TAPS CBA. However, these revisions did\nnot include a formal evaluation of alternative solutions. DIRM\xe2\x80\x99s Deputy Director stated that the\nsignificant cost savings projected for in-house development of TAPS would make alternative\nsolutions non-viable. However, FDIC could not make informed decisions on the viability of\nother alternatives without such a study. Further, the projected cost savings for TAPS continued\nto be overly optimistic. The projected cost savings were outdated and based on a limited\nanalysis performed in 1995. The projected savings were based primarily on a reduction in\nemployee time to enter and process time and attendance information. However, the time savings\nprojections were unsupported and optimistic. Further, some of the projected timesavings still\nbeing cited by DIRM and DOA in 1997, even if realistic, would have already been achieved\nthrough the implementation of the FDIC\xe2\x80\x99s CTAW in 1996.\n\nOICM recommended in its March 18, 1998 report that DIRM and DOA document the required\ncomponents of a CBA and perform reviews of the projections and assumptions at various points\nduring the SDLC. 
During this same time frame, FDIC was encountering significant problems in\naddressing TAPS requirements and designing a system architecture. A system architecture\nprovides the structure for data and automated processes that the application will employ to\nsupport user requirements. However, despite these problems and management\'s commitment to\naddress the concerns raised in the OICM and OIG reports, DIRM and DOA increased the value\nof the existing contract by 25 percent on March 18, 1998 without reconsidering the costs and\nbenefits cited in the December 1997 CBA.\n\nOn March 31, 1998, DIRM documented a cursory review of three alternatives to TAPS that had\nbeen performed in 1995. The 1995 analysis had concluded that the alternatives were not viable\nsolutions for the FDIC\'s time and attendance requirements. However, this analysis was flawed\nbecause the FDIC\xe2\x80\x99s time and attendance requirements had not been defined at that time. In\naddition, the FDIC\xe2\x80\x99s actions to merely document prior analyses did not address the status of\nalternatives in 1998, because TAPS requirements had been significantly modified on several\noccasions throughout the development effort. When FDIC documented this 1995 analysis in\nMarch 1998, it did not evaluate new potential solutions or re-evaluate potential solutions\nconsidered immature in 1995.\n\n\n\n\n                                               6\n\x0cIn May and June 1998, DOA began to question the assumptions underlying the projected cost\nsavings associated with the development and implementation of TAPS. On May 12, 1998,\nDIRM and DOA revised the estimated cost savings attributed to TAPS from $15.2 million to\n$12.9 million over 5 years. DIRM and DOA further revised the estimated costs savings of TAPS\non May 19, 1998 from $12.9 million to $1.5 million over 5 years. 
This more realistic evaluation\nof TAPS cost savings should have been performed as early as June 1997, when significant\nchanges began taking place in the project\'s scope, cost, and schedule. Management would have\nhad more accurate and meaningful information on which to base its decisions had such an\nanalysis been performed in June 1997 when TAPS development efforts were being re-directed\nbecause of significant problems or at other times when major changes occurred in TAPS risks,\ncosts, and schedules.\n\nOn May 21, 1998, DIRM and DOA awarded two additional contracts valued at approximately\n$1.8 million to continue development of TAPS, again without the benefit of a thorough and\nenhanced CBA. The TAPS Steering Committee justified the continued development of TAPS,\ndespite the drastic reduction in estimated cost savings, on the premise that TAPS would "correct\na deficiency in controls that was identified in a 1995 General Accounting Office (GAO) audit."\nHowever, as discussed in the following section of this report, this information was not accurate\nbecause GAO had no outstanding issues relating to the FDIC\'s time and attendance processes\nafter 1995. We advised the TAPS Steering Committee that the deficiencies cited by GAO in its\n1995 and prior year audit reports had already been corrected by FDIC in 1996. 
However,\nSteering Committee members disputed our statements.\n\nOn June 30, 1998, after expending at least $6.5 million on TAPS development and obtaining\nonly a functional requirements document and external design document, the TAPS Steering\nCommittee decided to discontinue the project.1 In July 1998, DIRM and DOA began researching\nthe feasibility of an integrated personnel system to be called the Corporate Human Resources\nInformation System (CHRIS).\n\nFDIC management\xe2\x80\x99s inability to make informed decisions regarding TAPS development can be\nattributed, in part, to confusion on the part of DIRM and DOA officials regarding the FDIC\'s\nown SDLC procedures. In a February 19, 1998 memorandum discussing OICM\'s review, the\nDeputy Directors of DIRM and DOA stated "There was no FDIC SDLC in 1995." The officials\nalso stated "There are two versions of the FDIC SDLC, a March 1996 version and a July 1997\nversion; the March 1996 has no standard CBA format or structure and the July 1997 version does\nnot require a CBA for any project."\n\nDespite the assertions of these officials, the FDIC did have a SDLC process in 1995, the\nElectronic Data Processing (EDP) Project Guide. The FDIC\'s EDP Project Guide, which was\nbased on the METHOD/1 SDLC methodology that FDIC purchased from Arthur Andersen in\n1989, required a feasibility study and CBA during the planning phase of an IT project. Although\nDIRM updated the FDIC\'s SDLC process in March 1996, the March 1996 version required a\nfeasibility study and CBA for major IT projects. The March 1996 version also required system\ndevelopers to update CBAs when significant changes occurred in a project\'s cost, scope, or\n\n1\n  We were unable to determine the total costs related to TAPS because the FDIC did not track all costs incurred\nthroughout the project.\n\n\n                                                           7\n\x0cschedule. DIRM again updated the FDIC\'s SDLC process in July 1997. 
The July 1997 version\nalso required a feasibility study and CBA for major IT projects.\n\nAs the FDIC pursues a new direction to satisfy the FDIC\'s personnel processing requirements,\nwe believe that DIRM and DOA should follow generally accepted SDLC practices and formally\nevaluate the feasibility and cost-benefit of alternative solutions. The FDIC\'s SDLC Manual\nrequires that a feasibility study and CBA be completed before committing full life cycle\nresources. Other government and industry guidelines also stress the importance of feasibility\nstudies and CBAs. For example, Evaluating Information Technology Investments, a practical\nguide issued jointly by the Office of Management and Budget (OMB) and GAO in November\n1996, recommends that management evaluate the cost-benefits and risks of IT projects before\nmaking significant investments in those projects. We also believe that the results of DIRM\xe2\x80\x99s and\nDOA\'s evaluation should be presented to the FDIC\'s IT Council for approval before investing\nsignificant life cycle resources or executing additional contracting actions. The FDIC\xe2\x80\x99s IT\nCouncil is responsible for ensuring that strategic IT planning is performed from a corporate\nperspective.\n\nProposed changes to the FDIC\'s SDLC Manual would require that CBAs be updated and\napproved by DIRM\xe2\x80\x99s Deputy Director when significant changes occur in the project\'s scope,\nestimated resources, or timeframes. While updating CBAs throughout a project\'s life cycle is\nconsistent with sound business practices and guidelines, such as OBM Circular A-130, we\nbelieve that subsequent approvals of CBAs should be made at a higher level of management,\nsuch as the IT Council, when significant changes occur in a project\'s scope, cost, or schedule.\n\n\nKey Assumption for Proceeding with TAPS Based on Inaccurate Information\n\nOne of the FDIC\'s key assumptions for continuing with the TAPS project was based on\ninaccurate information. 
Specifically, cost-benefit information used by senior management\nthroughout the project assumed that implementing TAPS would correct certain internal control\nweaknesses that had been reported by GAO in prior year financial statement audit reports. In its\naudit of FDIC\'s 1995 financial statements, dated July 1996, GAO reported, "As in previous\naudits, our 1995 audits continued to identify deficiencies in adherence to required procedures in\npreparing time and attendance reports, separation of duties between timekeeping and data entry\nfunctions, and reconciliation of payroll reports to time cards."\n\nDuring May and June 1998, when the FDIC drastically reduced the projected cost savings\nattributed to TAPS, senior FDIC management cited benefits for continuing TAPS development\nefforts. These management officials placed particular reliance on the assumption that TAPS\nwould correct the internal control deficiencies noted earlier by GAO. However, the FDIC had\ntaken other actions during 1996 to address GAO\'s internal control concerns related to the FDIC\'s\ntime and attendance processes.\n\nIn its audit of the FDIC\'s 1996 financial statements, dated June 1997, GAO reported, "We found\nthat the implementation of these new procedures effectively addressed the internal control issues\nwe identified in the time and attendance reporting process in our prior year\'s audits." We spoke\n\n\n\n                                                8\n\x0cwith a GAO official and confirmed that the FDIC\'s implementation of time and attendance\nreporting procedures during 1996 had effectively addressed the internal control issues identified\nin GAO\'s prior year audits. The GAO representative also informed us that, as of June 4, 1998,\nthere were no outstanding internal control issues relating to the FDIC\'s time and attendance\nprocesses.\n\nWe advised the TAPS Steering Committee of our research and discussions with GAO on June 9,\n1998. 
We informed the committee that TAPS was not needed to address earlier GAO concerns\nand that internal control weaknesses cited by GAO in prior years should not be used as a reason\nfor continuing with TAPS development. However, members of the TAPS Steering Committee\ndisputed the information provided and continued with TAPS development activities until the\nproject was ultimately terminated in July 1998. Although management disagreed with the\ninformation we provided them regarding GAO\xe2\x80\x99s lack of time and attendance control concerns,\ntheir current proposal to acquire an integrated corporate human resources system calls for\npostponing implementation of the FDIC\xe2\x80\x99s time and attendance requirements.\n\n\nRecommendations\n\nWe recommend that the Director, Division of Information Resources Management:\n\n(1) Modify the FDIC\xe2\x80\x99s SDLC process to require a formal evaluation of feasibility and cost-\n    benefits for alternative solutions to satisfy the FDIC\'s system development requirements and\n    present this information to the FDIC\'s IT Council for approval before committing significant\n    life cycle resources to a particular alternative.\n\n(2) Maintain current, accurate, and complete cost-benefit information throughout the project and\n    regularly compare this information to that which was relied upon by senior management at\n    the outset of the project.\n\n(3) Revise the FDIC\xe2\x80\x99s SDLC Manual to require project staff to advise senior management when\n    significant deviations occur in the project\'s cost-benefit information, timelines for\n    implementation, or risk and present this information to the FDIC\xe2\x80\x99s IT Council for approval\n    prior to proceeding with the project.\n\n\nDIRM\xe2\x80\x99S CONTRACT MANAGEMENT NEEDS IMPROVEMENT\n\nDespite management\xe2\x80\x99s commitment to follow the FDIC\xe2\x80\x99s structured development approach in\nresponse to recommendations in our initial TAPS audit report, 
the FDIC entered into several\ncontracts for the design and development of TAPS without first completing and approving user\nrequirements. In addition, the project development schedules and cost estimates used to obtain\nsenior management approval of the TAPS contracts were not supported by detailed analyses or\ndocumentation. We also noted that the terms of the TAPS contracts were broad and did not\nrequire the contractor to provide deliverable products within specified timeframes. Such\ncontracts typically require increased contractor oversight. However, DIRM\'s oversight of the\n\n\n\n                                                9\n\x0cTAPS contractor was ineffective. Contractor concerns were not addressed in a timely manner, if\nat all, and were not regularly communicated to senior management.\n\nThe FDIC\'s SDLC process requires that user requirements be defined, documented, and\napproved before making significant investments in detailed design and development work. The\nFDIC\'s lack of adherence to prescribed SDLC procedures, coupled with DIRM\xe2\x80\x99s ineffective\ncontractor oversight, contributed to project delays, unnecessary costs, and the ultimate\ntermination of TAPS development activities.\n\n\nContract Initiation\n\nIn discussions during May and June 1997 and in our September 1997 report, we advised\nmanagement that the project team had increased the risks associated with a successful\ncompletion of the project by performing design and development work before functional\nrequirements were finalized. 
We reported that as much as 90 percent of the TAPS design work\nthat had been completed as of June 1997 had to be re-performed because of changes in user\nrequirements.\n\nThe FDIC awarded a $1.9 million contract in July 1997 for the design and development of\nTAPS, again without first completing and approving a functional requirements document (FRD).\nThe FDIC\'s SDLC process requires that user requirements be defined, documented, and\napproved in an FRD before making significant investments in detailed design and development\nwork. The risk in performing development work before requirements have been defined is that if\nbusiness requirements change or do not receive management approval, the investment in the\ndevelopment work may not benefit the project or the Corporation. Validation of requirements\nearly in a system\'s life cycle development is important because failure to validate requirements\ncan result in frequent and expensive changes in later life cycle phases. Given the complexity of\nthe proposed TAPS system, the project team could not have completed TAPS requirements\ndefinition and obtained approval of an FRD by July 1997, which is when the FDIC awarded a\ncontract for the development of TAPS.\n\nThe FDIC\'s contractor recognized that TAPS user requirements had not been completely defined\nor approved when it submitted its contract proposal in July 1997. The contractor proposed that\nthe FDIC\'s requirements first be validated for accuracy and completeness before initiating\ndevelopment work. The contractor also proposed that an evaluation be performed of the TAPS\ndesign to ensure that it correctly translated TAPS requirements into a system that would operate\nproperly in DIRM\'s planned three-tier architecture. 
DIRM\xe2\x80\x99s three-tier architecture comprises the\nhardware, communications, and operating software for applications processing in a client-server\nenvironment.\n\nThe FDIC\xe2\x80\x99s TAPS Steering Committee approved the award of the TAPS contract without\ndetailed information regarding how DIRM determined that TAPS development and\nimplementation could be completed by February 1998 at a cost of $1.9 million. We spoke with\nthe DIRM oversight manager for TAPS and learned that DIRM had not performed a detailed\nanalysis supporting the projected costs and delivery dates. Subsequent extensions in the project\n\n\n\n                                               10\n\x0cschedule and increases in the project cost indicate that DIRM\'s estimated costs and\nimplementation date were not adequately analyzed.\n\nAs the project progressed, the TAPS project team did not finalize the FRD or the TAPS technical\narchitecture. As discussed in the following section of this report, beginning in August 1997, the\nTAPS contractor expressed concerns that unresolved TAPS requirements and design issues could\nsignificantly affect the project schedule. However, DIRM\'s oversight manager did not\neffectively address these issues in a timely manner.\n\nOn March 18, 1998, the FDIC increased funding under the TAPS contract by $492,423 (25\npercent) to complete development and testing of TAPS. However, the FDIC had still not\ncompleted an FRD or external design document (EDD) for TAPS. An EDD translates the\nrequirements defined in an FRD into a structure that facilitates development of the system. In\naddition, many questions remained regarding the viability of the TAPS, including whether the\ncomplexity of certain requirements could be resolved, what the final versions of the FRD and\nEDD would encompass, and whether in-house development was the most cost-effective\napproach to satisfy the FDIC\'s needs. 
In spite of these uncertainties and the stated intent of the
March 18, 1998 contract to complete development and testing, the FDIC awarded a $299,975
“bridge contract” on May 21, 1998 for TAPS development and implementation. On the same
day, the FDIC awarded another TAPS contract valued at $1.47 million to enhance and
implement TAPS. However, as with previous TAPS contracting actions, the FDIC had still not
completed an FRD or EDD for TAPS.

Less than a month after the May 1998 contracting actions, the TAPS Steering Committee
significantly reduced the scope of the TAPS project. In June 1998, DIRM and DOA directed its
contractor to complete the TAPS FRD and EDD and in July 1998, discontinued development of
TAPS. Management desired the completion of the FRD and EDD to refine requirements to
support possible future development. At the completion of the project in July 1998, the FDIC
had expended over $6.5 million on TAPS and completed only two SDLC deliverable products,
an FRD and EDD.


Recommendations

We recommend that the Director, Division of Information Resources Management:

(4) Ensure that pre-requisite SDLC phases are substantially complete and require SDLC
    deliverable products to be finalized and approved by senior management before proceeding
    with subsequent SDLC phases.

(5) Ensure that system development contracts provide for specific SDLC deliverable products to
    allow oversight managers to better monitor contractor progress.


Contractor Oversight Not Effective

DIRM did not adequately oversee contractor activities related to the project and did not
effectively communicate with contractor staff responsible for developing TAPS. Specifically,
DIRM's oversight manager for TAPS did not ensure that requirements were defined and design
issues resolved.
In addition, DIRM’s contract oversight manager did not regularly communicate
the contractor’s concerns to senior DIRM or client management. We noted that these concerns
were being raised by the contractor in its weekly status reports throughout the project. Not
addressing and resolving these issues in a timely manner caused inefficiencies and delays in the
development process and resulted in the technically deficient system design that had to be
re-performed at additional costs to FDIC.

The contract required the TAPS contractor to perform its work in accordance with the FDIC's
SDLC process. However, it did not require the contractor to develop or complete any specific
SDLC deliverable products within a particular time period. Contracts of this nature typically
require a higher degree of contractor oversight than contracts containing fixed deliverables and
delivery schedules. However, DIRM's contract oversight manager did not require the contractor
to develop a project work plan for the project that met the criteria stated in the SDLC Manual
and was required by the TAPS contract. Project work plans serve as a basic management tool for
oversight managers in monitoring contractor activities.

As early as August 1997, the FDIC’s TAPS contractor began reporting in its weekly status
reports that ongoing changes to TAPS screen designs could seriously impact the development
schedule. In September 1997, the contractor began reporting that ongoing changes to TAPS
system architecture requirements could dramatically alter TAPS design specifications and
implementation schedules. Although the TAPS Steering Committee decided to minimize screen
design changes in September 1997, screen designs for some portions of the system continued to
change.

Ongoing changes to TAPS requirements and design continued to plague TAPS throughout the
life of the project.
In its status report for the period of November 1-7, 1997, the TAPS contractor
reported, "It is imperative that the screen designs be frozen immediately. This is essential so that
progress on the remainder of the development effort can continue based on known decisions
thereby reducing the risk of re-work." By February 1998, the requirements and design issues had
still not been resolved. In its status report for February 21-28, 1998, the contractor stated, "a
considerable number of issues remain open. Many of these issues directly affect system design
and functionality. Delays in resolving these issues will negatively impact the project schedule."

Despite the unresolved requirements and design issues, DIRM approved the contractor's
proposed technical architecture for TAPS on February 26, 1998. Approximately 4 days later,
DIRM verbally advised the contractor that the proposed TAPS architecture was technically
deficient and would not operate properly in the FDIC's planned three-tier architecture, even
though this architecture was still being designed. On April 27, 1997, the contracting officer for
TAPS issued a letter to the TAPS contractor, rejecting its February 1997 invoice for
$339,531.45, stating, "The product(s) delivered to the FDIC are unacceptable. Specifically, the
external design of the system being developed was technically deficient as proposed and needed
to be completely redone at additional cost in order for it to be workable."

However, under the terms of the TAPS contract, the FDIC's contractor was not required to
provide any system deliverable products, but rather "systems development and implementation
support services."
In a May 7, 1998 letter to the contracting officer, the contractor stated that
had it been the FDIC's intent for the TAPS contract to be a product contract, then a contract
administration plan should have been prepared and delivered to the contractor. Such a plan
should have defined specific products and delivery requirements and defined the acceptable
criteria FDIC would use to measure required products. The contractor indicated that it never
received such a plan. On May 13, 1997, DIRM requested that the contracting officer pay the
contractor's February 1998 invoice.

DIRM's oversight manager for TAPS did not ensure that a project work plan was developed for
the project, as required by the FDIC's SDLC process. Project work plans serve as a basic
management tool for oversight managers in monitoring contractor activities. According to the
FDIC's SDLC Manual, the purpose of a project work plan is to formally capture and document
agreements among project participants regarding project scope, tasks, schedule, allocated
resources, and interrelationships with other projects. The Manual states, "the Project Work Plan
will make clear the responsibility and accountability of the various parties." By securing an
informed agreement at the start, and revisiting the agreement throughout the project's life cycle,
developers can better prevent cost and schedule overruns and ensure that the project will meet
expected results.

Although the contractor provided the DIRM project manager with a scheduling product that
identified required tasks and timeframes for completing those tasks, the scheduler did not provide the
detail prescribed by the FDIC's SDLC Manual. The SDLC Manual states, “Project Managers should
use Microsoft Project, an automated planning tool, to develop a work breakdown structure (WBS).”
However, the WBS contains only one element of the project plan described in the FDIC’s SDLC
Manual.
Missing are important attributes of the plan, including project description, project team
description, acquisition strategy, risk and control measures, required deliverables, and required
review authorities. In addition, the use of Microsoft Project as a TAPS planning tool was not
implemented as intended by the manual, because the TAPS project plan had no method of tracking
task resource requirements. Obtaining formal, senior management approval of a project work plan
ensures that management has the information necessary to make informed decisions on the project
and that changes in the project's scope, costs, and time schedules are adequately controlled.

Recommendations

We recommend that the Director, Division of Information Resources Management:

(6) Ensure that oversight managers develop project work plans as prescribed by the FDIC's
    SDLC Manual that contain measurable tasks and milestones, clearly defined roles,
    responsibilities, and accountability and provide this information to senior management for
    decision-making on IT projects.

(7) Ensure that oversight managers develop progress reports that compare results being
    achieved to projected costs, benefits, and risks so that potential managerial, organizational,
    or technical problems can be identified.


DIRM’s INTERNAL CONTROL PROCESS WAS NOT EFFECTIVE

DIRM’s implementation of a risk assessment program, as required by FDIC Circular 4010.3,
FDIC Internal Control Programs and Systems, did not provide management with accurate
information on risks and related controls.
The FDIC implemented the program in accordance
with the Chief Financial Officers Act of 1990 to evaluate risks by accountability unit and to
measure the effectiveness of controls to mitigate the risks.

The FDIC circular requires accountability unit managers to assess risks to their program areas
and alert management to potential weaknesses. However, despite the significant problems
encountered by FDIC on recent system development efforts, DIRM’s Assistant Director,
Corporate Applications Branch, rated all functions within his branch as a “1” (the lowest risk
rating available) in February 1997. The Assistant Director also stated in his narrative,
“Corporate Application Branch rates as ‘Low Risk’ the susceptibility of its functions to waste,
loss, unauthorized use, or misappropriation.”

Based on our reviews of system development projects since 1996 that showed the FDIC’s own
experience with the lack of controls over the SDLC process and a history of several expensive
projects that were less than successful, this rating was not indicative of the controls over the
process used to develop TAPS. Without accurately depicting the internal control environment
within that branch, senior management officials will not have the information they will need to
correct the deficiencies of that branch’s control mechanisms.


Recommendation

We recommend that the Director, Division of Information Resources Management:

(8) Require senior management officials to accurately assess the controls over the SDLC process
    being used within their areas of responsibility and implement effective controls when
    existing controls are deficient.


CORPORATION COMMENTS AND OIG EVALUATION

On January 29, 1999, the Director, DIRM, provided a written response to the draft report.
The
response is presented in Appendix II to this report.

The Director, DIRM, stated that his office cannot unilaterally implement recommendations one
and three because implementation of these recommendations would require the approval by the
IT Council. We agree with his statement. Subsequent correspondence with the Director and the
Special Assistant to the Deputy to the Chairman and Chief Operating Officer indicated that the
Deputy to the Chairman and Chief Operating Officer will convene a meeting to review the issues
of cost-benefit analyses thresholds and IT Council approvals after this audit report is issued.

The Corporation’s written response and subsequent correspondence provide the elements
necessary for management decisions on the report’s recommendations.


APPENDIX I

CHRONOLOGY OF KEY TAPS DATES

Date

1995

June        FDIC issued a Bi-Weekly Time and Attendance Project Task Force report that
            recommended developing a fully automated time and attendance system in two
            phases.

1996

April       First phase of the development of a fully automated time and attendance
            processing system, the Corporate Time and Attendance Worksheet, was
            implemented.

November    OIG initiated TAPS audit.

1997

April       TAPS development (Phase II) experienced problems and the effort was
            redirected.

May/June    OIG met with FDIC management about the need to revisit the cost-benefit of
            developing TAPS in-house and examine other alternatives, the need for more
            detailed progress information, and the need for DIRM to discipline itself to
            completing pre-requisite development phases before starting
            subsequent phases. Management agreed to implement our oral suggestions.

July        FDIC awarded a $1.9 million contract to develop TAPS in-house without
            performing pre-requisite work contained in the OIG suggestions.

August      TAPS contractor began raising concerns about continuing changes to
            requirements and system architecture.

September   OIG issued final audit report on the shortcomings of the TAPS development,
            formalizing our recommendations. Management agreed to implement the
            recommendations.

October     FDIC’s Audit Committee requested OICM to evaluate the effectiveness of
            controls in the FDIC’s SDLC methodology. The OIG reviewed a revised draft
            CBA and provided oral comments to management. The CBA still did not
            consider other alternatives and projected cost savings were overly optimistic.

December    TAPS Steering Committee approved CBA supporting in-house development of
            TAPS. OIG expressed concerns that CBA still did not consider other alternatives
            and projected cost savings were overly optimistic. DIRM’s Deputy Director
            stated that projected cost savings were so significant that evaluation of other
            alternatives was not warranted.

1998

January
to June     OIG worked with OICM and TAPS Steering Committee regarding CBA, internal
            control issues, contractor oversight, and system architecture.

February    DIRM accepted and later rejected TAPS contractor’s proposed system
            architecture.

March       OICM reported to the Audit Committee and confirmed OIG findings and
            recommendations.
            TAPS Steering Committee approved $492,423 increase in
            TAPS development contract (25 percent of original contract value) without
            reassessing CBA and project risks.

May         TAPS Steering Committee awarded an additional $299,975 “bridge” contract for
            the TAPS project. On the same day, the TAPS Steering Committee awarded
            $1.47 million contract for TAPS development to a new contractor. Both
            contracting actions taken without reassessing CBA and project risks.

June        TAPS project reduced in scope to finish FRD and EDD.

July        TAPS Steering Committee terminated the project.


APPENDIX II

FDIC
Federal Deposit Insurance Corporation
3501 North Fairfax Drive. Arlington, VA 22226         Division of Information Resources Management

January 29, 1999

MEMORANDUM TO:    David H. Loewenstein
                  Assistant Inspector General

FROM:             Donald C. Demitros
                  Director

SUBJECT:          Revised Response to Draft Report Entitled Audit of the Time and
                  Attendance Processing System (TAPS) Development Project

Based on meetings held on January 7th and 27th to discuss the response to the Draft Audit Report, the
Division of Information Resources Management (DIRM) revised its response to address OIG
concerns. This revised response also provides clarification for some specific items discussed in the
meetings.

In general, the recommendations in this report focus on breakdowns in the project management
process.
DIRM recognizes this and has strengthened existing processes and established new
mechanisms to address this overall problem. These include: more complete and robust IT plans for
all projects; new management reporting; new guidelines for cost benefit analysis; post
implementation reviews; and internal controls which tie to the steps in the SDLC.

Currently, each project that exceeds $200,000 has an IT Plan established at its inception along
with appointment of a project owner from the requesting division or office. New information is
now being captured in the IT Plan including early warning, overall project issues, budget issues,
project justification, milestones, budget, and expenditures. This data is being used to produce a
new management report highlighting budget variances, project slippage, and project risks such as
poor customer participation, project scope creep, technical challenges, staffing issues, contractor
performance/management. Strict adherence is placed on cost and schedule. Expenditures for
these projects are automatically updated via a direct tie to the DIRM budget system and requests
to change completion dates for major project milestones require Branch Chief approval or higher
for key projects. In addition, during the annual budget formulation process, the funding and
justification of the project is reviewed by the requesting division’s line management, the IT
Technical Committee, and the IT Council. Processes have been established to insure that any
significant changes in major projects are brought before the IT Technical Committee for review
and approval.

New procedures for conducting a cost benefit analysis, based on OMB and DOF guidelines, have
been published and are being used on projects such as ETVS and CHRIS.
These procedures will
be formally published with the next release of the SDLC. DIRM is now conducting post
implementation reviews, which include a level of review to assess a project at the time of design,
as well as looking at a project after its implementation.
Also, our new internal controls are now tied to the specific SDLC processes to ensure that we are
adhering to our development methodology. Following approval of the new management control
plan for systems development, a copy will be provided to the OIG.

For recommendations 1-4, 6 and 7, DIRM will reemphasize specific requirements and
responsibilities to all project managers by March 31, 1999. This will be accomplished through
the issuance of a memorandum from the Director of DIRM to all project managers clearly
communicating the policies referenced in this response. DIRM will also submit a revision to the
SDLC to emphasize these policies by April 30, 1999.

DIRM believes that the above actions will address the overall recommendations included in this
report. The following outlines DIRM corrective actions already taken or planned (including
anticipated due dates) in response to each individual recommendation.

Recommendation 1

      Modify the FDIC’s SDLC process to require a formal evaluation of feasibility and
      cost-benefits for alternative solutions to satisfy the FDIC’s system development
      requirements and present this information to the FDIC’s IT Council for approval
      before committing significant life cycle resources to a particular alternative.

Corrective Action

      The SDLC currently requires a project budget package, including a formal evaluation of
      alternatives, be prepared for all corporate projects expected to exceed the IT Dollar
      threshold. This threshold, currently set at $3 million, and a new formal CBA format now
      exist but were not in place when TAPS was initiated.
      These new guidelines and IT dollar
      threshold, which are consistent with the DOF Directive on Cost Benefit Analysis
      Methodology for the Purchase or Development of Capital Assets (Circular 4310.1), have
      been used for recent projects, such as: the Structure Information Management System;
      Electronic Travel Voucher Processing System (ETVPS); and other non-application
      projects. They are also being used to perform the Cost Benefit Analysis for the new
      Corporate Human Resources Information System (CHRIS). Also, IT Plans are required
      for all projects exceeding $200,000 and, for any of these projects that are new, a cost
      justification must be developed which includes the full life cycle costs and benefits for
      the proposed alternative. These procedures and the IT Dollar thresholds will be formally
      published with the next release of the SDLC, which will clearly state the requirement for
      performing CBA’s. DIRM, with the IT Committee, will, by April 30, 1999, also review
      the current dollar threshold to determine whether it warrants adjustment. As an interim
      measure, the new guidelines (Attachment 1) and IT dollar threshold will be reemphasized
      and formally communicated to all project managers by March 31, 1999.

      DIRM will reinforce its efforts to review project progress with clients, ensuring their
      clear understanding and obtaining their approval of both original cost-benefit analyses,
      and changes that modify the results of those analyses. DIRM also will present the initial
      CBA and any updates for projects over $3 M to the IT Technical Committee.
      The IT
      Technical Committee will report any project issues to the IT Council.

Recommendation 2

      Maintain current, accurate, and complete cost-benefit information throughout the
      project and regularly compare this information to that which was relied upon by senior
      management at the outset of the project.

Corrective Action

      DIRM agrees that accurate cost-benefit information should be maintained and that it is the
      responsibility of the project managers to do so. It is also the project manager’s responsibility
      to review this information at critical points and alert senior management of any deviations
      (schedule setbacks, cost overruns) that warrant revision of the cost-benefit information or
      reevaluation of the project by senior management. DIRM will, by March 31, 1999, modify
      the new Cost Benefit Analysis guidelines to require project managers to review this
      information at critical points and alert senior management of any deviations (schedule
      setbacks, cost overruns) that warrant revision of the cost-benefit information or reevaluation
      of the project.

Recommendation 3

      Revise the FDIC’s SDLC Manual to require project staff to advise senior
      management when significant deviations occur in the project’s cost-benefit
      information, timelines for implementation, or risk and present this information to
      the FDIC’s IT Council for approval prior to proceeding with the project.

Corrective Action

      Alerting senior management to significant deviations in cost-benefit information, timelines,
      or increased risk is now required of all DIRM project managers. Corrective actions already
      have been taken to ensure that the problems experienced with TAPS do not reoccur.
      IT
      plans, required for all projects exceeding $200,000 in expenditures, have warning flags
      automatically set to alert senior management when completion dates for major project
      milestones are slipping (Refer to Attachment 2). These flags are reviewed monthly and
      project managers are required to report to DIRM senior management to explain the issues
      and obstacles causing the warning flags. Changes to schedules and projected cost
      expenditures are tightly controlled. A Branch Chief must approve changes to schedules on
      all projects. The expenditures are automatically updated, and therefore controlled via the
      budget system. These requirements will be formally reemphasized and communicated to all
      project managers by March 31, 1999.

      Also, the CHRIS Steering Committee has developed a charter outlining their roles and
      responsibilities – the charter tasks the Steering Committee with the responsibility for
      ensuring that the project stays on schedule and within budget. The Committee will hold
      meetings every three weeks at which the project managers will report on progress versus the
      project plans and budget, and advise the Committee of any potential obstacles or previously
      unforeseen risks.

      The IT Council provides the approval authority for the initiation of IT systems development
      projects. It is the responsibility of project managers and, if appropriate, Steering
      Committees, to ensure projects are reviewed and reevaluated at critical management
      checkpoints during the life cycle of the systems development effort.
      In addition, schedule
      slippage of more than 60 days or projected cost overruns of more than 20 percent for any
      major project will be presented to the IT Technical Committee for management action. The
      IT Committee will report these project issues to the IT Council. DIRM will arrange, by
      March 31, 1999, for the OIG to meet with the IT Committee to discuss the OIG proposal to
      change the charters of the IT Committee or IT Council to approve such deviations to project
      schedules or costs.

Recommendation 4

      Ensure that prerequisite SDLC phases are substantially complete and require SDLC
      deliverable products to be finalized and approved by senior management before
      proceeding with subsequent SDLC phases.

Corrective Action

      All DIRM project managers are responsible for ensuring that prerequisite SDLC phases are
      substantially complete and approved prior to proceeding with subsequent SDLC phases.
      This process is in place but was not regularly adhered to during the TAPS systems
      development effort. Corrective actions have been taken to address these problems. As a
      model for major projects, the CHRIS Steering Committee Charter outlines specific
      responsibilities of the Committee, including ensuring that prerequisite phases of the SDLC
      are substantially complete prior to proceeding with succeeding phases. The Committee
      meets every three weeks at which time the project managers report on progress versus the
      project work plan and the completion of specific SDLC deliverables.

      The requirement to ensure that prerequisite SDLC phases are substantially complete and
      approved prior to proceeding with subsequent SDLC phases will be highlighted in the next
      SDLC revision.
      This requirement will be formally reemphasized and communicated to all
      project managers by March 31, 1999.

Recommendation 5

      Ensure that system development contracts provide for specific SDLC deliverable
      products to allow oversight managers to better monitor contractor progress.

Corrective Action

      Once oversight of the TAPS contractor was found to be inadequate, steps were
      successfully taken to correct these problems – for example, on-site contractor oversight
      was provided, and daily project status meetings were held to more closely monitor the
      contractor’s progress.

      To ensure the lessons learned from the TAPS project carry over to subsequent
      development projects, DIRM began a contracting improvement project that includes nine
      major initiatives. Among the nine initiatives is the development of an expanded
      description of SDLC requirements for all systems development contracts, and a
      consultant’s review of IT Acquisition best practices. The best practice review will look
      for ways to improve the actual systems development contract vehicles to ensure that
      DIRM receives optimal IT services and products from its systems development contracts.

      DIRM will also review all existing systems development contracts by March 31, 1999, to
      ensure they contain language requiring appropriate SDLC deliverable products. DIRM
      and ASB have developed standard statement of work (SOW) language for systems
      development contracts to ensure that the appropriate SDLC deliverable products are
      specified in all future contracts.
      This standard language is currently undergoing internal
      review and is expected to be ready for communication to all Oversight Managers by
      March 31, 1999.

Recommendation 6

      Ensure that oversight managers develop project work plans as prescribed by the
      FDIC’s SDLC Manual that contain measurable tasks and milestones, clearly defined
      roles, responsibilities, and accountability and provide this information to senior
      management for decision-making on IT projects.

Corrective Action

      Project managers currently develop project work plans with the appropriate SDLC tasks,
      milestones, roles, and responsibilities. Plans developed for TAPS were not adhered to
      consistently and corrective action has already been taken to ensure this does not reoccur with
      future (major) IT projects.

      For example, the CHRIS Steering Committee will meet regularly and be briefed by the DOA
      and DIRM project managers to ensure that the work plans are reasonable and schedules are
      being met.

      DIRM will continue to place emphasis on robust project work plans that adhere to the
      FDIC’s SDLC and are regularly presented to senior management to help with decision
      making.
      DIRM will formally reemphasize and communicate these requirements to project
      managers by March 31, 1999.

Recommendation 7

      Ensure that oversight managers develop progress reports that compare results being
      achieved to projected costs, benefits, and risks so that potential managerial,
      organizational, or technical problems can be identified.

Corrective Action

      DIRM project managers are required to update information in their respective IT Plans
      including budget, cost, milestones, and management issues on a monthly basis. Management
      reports are produced from the data in the IT Plan database which highlight budget variances,
      project slippage, and overall project risks. These reports are used in project review meetings
      with DIRM senior management and project managers. DIRM will formally reemphasize and
      communicate the requirement to update the IT Plans on a monthly basis to project managers
      by March 31, 1999.

Recommendation 8

      Require senior management to accurately assess the controls over the SDLC process
      being used within the areas of their responsibility and implement effective controls
      when existing controls are deficient.

Corrective Action

      DIRM has recently completed a redesign of its internal control program, which includes
      an assessment of the risks, control objectives and control techniques for all DIRM
      operations, including systems development. By March 31, 1999, DIRM will conduct a
      review of the identified controls over the SDLC process to determine if additional
      controls are warranted.

Please address any questions to Mr.
Rack Campbell, DIRM’s Audit Liaison, at 516-1422.

Attachment


APPENDIX III
MANAGEMENT RESPONSES TO RECOMMENDATIONS

The Inspector General Act of 1978, as amended, requires the OIG to report the status of management decisions on its recommendations in its semiannual reports to the Congress. To consider
FDIC’s responses as management decisions in accordance with the act and related guidance, several conditions are necessary. First, the response must describe for each recommendation

    •    the specific corrective actions already taken, if applicable;
    •    corrective actions to be taken together with the expected completion dates for their implementation; and
    •    documentation that will confirm completion of corrective actions.

If any recommendation identifies specific monetary benefits, FDIC management must state the amount agreed or disagreed with and the reasons for any disagreement. In the case of questioned
costs, the amount FDIC plans to disallow must be included in management’s response.

If management does not agree that a recommendation should be implemented, it must describe why the recommendation is not considered valid.
Second, the OIG must determine that management’s descriptions of (1) the course of action already taken or proposed and (2) the documentation confirming completion of corrective actions are
responsive to its recommendations.

This table presents the management responses that have been made on recommendations in our report and the status of management decisions.
The information for management decisions is
based on management’s written responses to our report and subsequent discussions with management.

Rec.    Corrective Action: Taken or Planned/Status          Expected         Documentation That Will     Monetary  Management
Number                                                      Completion Date  Confirm Final Action        Benefits  Decision:
                                                                                                                   Yes or No
------  --------------------------------------------------  ---------------  --------------------------  --------  ----------
1       DIRM will reemphasize specific requirements and     April 30, 1999   Specific changes to the     None      Yes
        responsibilities to all project managers through                     SDLC Manual and memorandum
        the issuance of a memorandum by March 31, 1999.                      to project managers.
        DIRM will also submit a revision to the SDLC to
        emphasize these policies by April 30, 1999. DIRM,
        with the IT Technical Committee, will review
        current CBA dollar thresholds.

2       DIRM will reemphasize specific requirements and     April 30, 1999   Specific changes to the     None      Yes
        responsibilities to all project managers through                     SDLC Manual, modified CBA
        the issuance of a memorandum by March 31, 1999.                      guidelines and memorandum
        DIRM will also submit a revision to the SDLC to                      to project managers.
        emphasize these policies by April 30, 1999. DIRM
        will modify CBA guidelines.

3       DIRM will reemphasize specific requirements and     April 30, 1999   Specific changes to the     None      Yes
        responsibilities to all project managers through                     SDLC Manual and memorandum
        the issuance of a memorandum by March 31, 1999.                      to project managers. OIG
        DIRM will also submit a revision to the SDLC to                      meeting with the IT
        emphasize these policies by April 30, 1999. DIRM                     Council.
        will arrange for the OIG to meet with IT Council
        to discuss the changes in charters of the IT
        Council and Technical Committee.

4       DIRM will reemphasize specific requirements and     April 30, 1999   Specific changes to the     None      Yes
        responsibilities to all project managers through                     SDLC Manual guidelines and
        the issuance of a memorandum by March 31, 1999.                      memorandum to project
        DIRM will also submit a revision to the SDLC to                      managers.
        emphasize these policies by April 30, 1999.

5       DIRM will review all existing system development    March 31, 1999   Specific changes to the     None      Yes
        contracts to ensure contracts require specific                       SDLC Manual and
        deliverables and communicate this to all oversight                   communication to oversight
        managers.                                                            managers.

6       DIRM will reemphasize specific requirements and     April 30, 1999   Specific changes to the     None      Yes
        responsibilities to all project managers through                     SDLC Manual guidelines and
        the issuance of a memorandum by March 31, 1999.                      memorandum to project
        DIRM will also submit a revision to the SDLC to                      managers.
        emphasize these policies by April 30, 1999.

7       DIRM will reemphasize specific requirements and     April 30, 1999   Specific changes to the     None      Yes
        responsibilities to all project managers through                     SDLC Manual guidelines and
        the issuance of a memorandum by March 31, 1999.                      memorandum to project
        DIRM will also submit a revision to the SDLC to                      managers.
        emphasize these policies by April 30, 1999.

8       DIRM will conduct a review of the identified        March 31, 1999   Documentation of DIRM’s     None      Yes
        controls over the SDLC process to determine if                       internal control review.
        additional controls are warranted.